Skip to main content
close search
site logo
Dive Brief

500M hit by Marriott data breach; intrusion undetected since 2014

Published Nov. 30, 2018
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Whistle Sports

Dive Brief:

  • Marriott International disclosed a data breach impacting 500 million guests, according to a company announcement Friday. About 327 million of those guests had information such as passport numbers and addresses compromised. Payment card numbers were also duplicated for some guests.
  • The hospitality company found its Starwood reservation database had been compromised since 2014. The perpetrators had copied and encrypted the information and begun the process of removing it.
  • Law enforcement has been notified and Marriott is in the midst of notifying necessary regulatory authorities, according to the announcement.

Dive Insight:

Equifax, Yahoo and Uber were the most notorious disclosed breaches of 2017, and 2018 almost squeaked by without a breach massive enough to compare. Until now.

Marriott's security shortcomings "underscore the sheer folly of continued reliance on outdated security methods such as using PII in authentication," said Bimal Gandhi, CEO of Uniken, in an email to CIO Dive.

Marriott was notified of an intrusion on Sept. 8 by an internal security tool, alerting the company of an unauthorized attempt to access its Starwood guest reservation platform.

Marriott didn't complete its acquisition of Starwood Hotels and Resorts Worldwide until September 2016. The deal created the largest hotel chain in the world.

System migrations can take years, and companies can unknowingly inherit flaws. Ensuring security continuity among systems acquired in a business deal requires audits and experts to ensure systems are streamlined. 

The company enlisted security experts to investigate the intrusion and found the access point from 2014. By November 19, Marriott was able to decrypt the stolen data.

The investigation is ongoing but has found that for about 327 million impacted guests in the Starwood Preferred Guest platform, the following information was impacted:

  • Mailing address
  • Phone numbers
  • Email
  • Passport numbers
  • Starwood Preferred Guest account information
  • Birth date
  • Gender
  • Arrival and departure information
  • Reservation date and communication preferences

With information so easily sold and distributed on the dark web, Marriott's security breach "represents a potential point of attack" on its impacted guests, said Gandhi.

Recommended Reading

Filed Under: Security

Editors' picks

Company Announcements

View all | Post a press release
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
truCX Launches Groundbreaking Partner Portal, Empowering CX Consultants and Trusted Advisors w…
From truCX
October 30, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Blackpoint Cyber Launches Global Partner Program and Enablement Platform Emphasizing a Focus o…
From Blackpoint Cyber
October 30, 2024
Editors' picks
Latest in Security
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell